FireFox Extensions Liable to Allow Hackers Access to User Data

It has recently been discovered that a flaw exists in the way FireFox handles extensions that has the potential to expose millions of users to malicious code hidden.

Researchers from Northeastern University in Boston found that the flaw would allow hackers to stealthily execute malicious code hiding behind a seemingly benign extension, such as NoScript and Firebug, and steal data.

What happens is the flaw fails to isolate various browser add-ons. This allows them to connect to the capabilities of other popular third-party extensions.

The researchers wrote in a paper: "These vulnerabilities allow a seemingly innocuous extension to reuse security-critical functionality provided by other legitimate, benign extensions to stealthily launch confused deputy-style attacks."

Hackers could exploit an extension reuse flaw by developing their own add-ons that hide malicious code and tap into the legitimate functions of popular extensions.

Connecting to other legitimate extensions would allow a hacker to bypass Firefox’s security checks and extension vetting processes and gain access to a user's machine.

Because the extensions use elevated privileges, the hidden malicious code can be used to steal passwords, private browsing data and system resources.